Jusletter IT

Among privacy protection tools, privacy impact assessment (PIA) recently got high on policy-makers’ and academia’s agendas. PIA has been defined in various ways, but essentially it is a systematic process for evaluating the potential effects on privacy of a project, initiative, or proposed system or scheme and finding ways, in consultation with stakeholders, to mitigate or avoid any adverse effects (Wright 2011, p. 123). As a matter of fact, the proposed General Data Protection Regulation in Art 33 provides for a data protection impact assessment framework.1

If we were to summarise briefly PIA advantages, we would point out identification and mitigation of risk (and evidence thereof); enhancement of informed decision-making; confirmation that an entity takes privacy seriously; avoidance of reputation loss and of unnecessary costs, among others (Wright 2012, p. 55). Stewart further adds that businesses able to sustain a high level of trust and confidence can differentiate themselves from their rivals and thereby gain a competitive advantage (Stewart 2007). Opponents would probably view PIA as a regulatory burden, needless expense and a cause for delays, especially when it is mandatory. It is not surprising that some of the business community would support PIA if it were quick, simple and cheap.

From a legal viewpoint, one of the most interesting benefits for business seems to be the effect of PIA on civil liability for privacy intrusions sensu largo. Unless PIA is already mandatory for all sectors, regulators need to provide incentive to conduct PIA and thus potential limitation or even exclusion of civil liability seems attractive. We are interested in the question of whether, in the case where harm is caused by a privacy intrusion sensu largo, a wrongdoer could be exempted from civil liability had a good PIA not foreseen threats.

In this paper, we try to understand why PIA can mitigate or even eliminate this liability by going back to its foundational principle, the precautionary principle, and the manner in which it impacts civil liability.

In the first part, we will explain what the precautionary principle is, and why it is best suited as a principle of action in the framework of uncertain risks that characterise “technical societies”. Next, as precaution has some consequences in terms of civil liability, we explore how civil liability – both strict and fault-based – can be envisaged from the point of view of precaution. In both cases, precaution can be used for waiver of liability. In the case of fault-based liability, though it stretches the notion of fault (or care) to its extreme limits, it will be used to demonstrate that no fault was committed. In the case of strict liability, it will be used to show that the defendant was in the situation foreseen by the so-called development risk defence, if applicable. We conclude by arguing that, in the case of privacy, PIA is an implementation of precaution. Hence, PIA can be used to mitigate liability, independent of the unresolved question of the nature of liability for privacy intrusions sensu largo: strict or fault-based.

Tools of risk assessment, including PIA (cf. infra, section 5.1), are one of the many applications of the precautionary principle. Its satisfying description can be found in the French Loi Barnier: the precautionary principle is a principle according to which “uncertainty caused by a lack of sufficient scientific and technical evidence should not refrain the adoption of effective and proportionate measures aiming at preventing the advent of a grave and irreversible damage to the environment, whose cost is economically acceptable.”² In other words, the precautionary principle should guide governments’ actions in situations characterised by risks that are not constitutive of acute identified and informed dangers against which governments should take “preventive” action (risks are known, pre-emptive action can be taken). Its purpose is to minimise risks not presently acute nor clearly identified or informed but that, according to indications or uninformed abnormalities, may occur or become evident in the long term, and hence to maintain a margin for future developments (Hilty 2005, p. 27).

Kourilsky distinguishes between potential risks (i.e. uncertainties) and proven risks (i.e. acute dangers, “known” risks). The former will trigger a government response based upon the precautionary principle, whereas the latter will lead to a decision taken in the framework of the danger aversion principle (i.e. prevention) (Kourilsky 2002, p. 51). As Godard puts it, the precautionary principle aims not only at dangers and risks whose causes are undetermined, but whose very existence is problematic and yet unascertained (Godard 2000, p. 6). In its judgement on the validity of the Commission’s decision banning the exportation of beef from the UK, the ECJ has ruled “where there is uncertainty as to the existence or extent of risks to human health, the institutions may take protective measures without having to wait until the reality and seriousness of those risks become fully apparent.”3

The precautionary principle thus commands that in the face of a potential risk, action must be taken at the earliest possible stage. The decisional space where the precautionary principle lies is this “in-between”, where the level of scientific knowledge is not comprehensive enough to bring certainties concerning the existence of a particular danger, but is nonetheless sufficiently developed or informed by “the concerned” (“les riverains”) in order to raise questions and hypotheses relating to the existence of such dangers (Godard 2000, p. 14).

Understanding precaution as a principle of action requires determining the kind of actions that can be undertaken. Some procedural principles can be of help in that respect, such as comparing the merits and costs of different approaches or the need to take provisional measures (i.e. measures that can be revisable according to the evolution of scientific knowledge) (Kourilsky 2002, pp. 57-66).4 As the European Commission points out, “recourse to the precautionary principle does not necessarily mean adopting final instruments designed to produce legal effects”.⁵ On the contrary, the appropriate response in a given situation is the result of an eminently political decision (since science cannot provide answer or even questions) that weighs the acceptable level of risk and uncertainty that can be imposed on society, considering the particular risk or uncertainty at hand. Hence, in the face of a potential risk, the decision not to take any action may also be a valid response. Equally, the funding of a research programme or the decision to inform the public on the possible dangers of a phenomenon are also part of this wide range of actions that can be taken under the precautionary principle (Kourilsky 2002, pp. 57-66).

In the preceding paragraphs we have tried to explain how precaution is a principle for action in the face of uncertain risks. In other words, in the face of uncertainty one has to act, although no specific type of action is prescribed. Consequently, it could be argued that precaution is about determining the best course of action. From the point of view of civil liability, this corresponds to the duty of care in fault-based liability regime. Hence, taking the wrong actions or not acting at all would amount to negligence, thereby triggering civil liability.

However, because of its nature inherently entangled to uncertain risks (as opposed to classical civil liability), precaution sheds a new light on the duty of care (Sadeleer 2002, p. 212.). In other words, because precaution is about taking actions, civil liability can only be understood in this perspective with reference to the duty of care (Sadeleer 2002, p. 216).

In fault-based liability regimes, the notion of fault has been defined with regard to the duty of care. Indeed, one would be at fault if she did not take normal and reasonable care. Usually the duty of care is associated with the logic of prevention and certain, foreseeable risks: a person would violate her duty of care by not taking all the reasonable measures (cf. the standard of the bonus pater familias) in the face of a well-understood and foreseeable risk. However, the ethics of precaution leads to a modification of this duty of care: it is not enough for one person to take all the preventive measures against a well-ascertained risk, since precisely precaution should be factored into a situation where the very existence of risks is at stake. Therefore, in the face of an uncertain risk, a person would be at fault (by violating the duty of care), if she took no precautionary measures and thus if she took no action,⁶ that is, if she failed to explore all the potential risks posed by the activity of concern.

Hence, the principle of precaution translates less into a duty of care than into a duty to investigate. Fault would not be determined in relation to the information at hand, but also the information that should have been known, including working hypotheses not yet fully proved at the time of the event (Sadeleer 2002, pp. 212-213). Uncertain risks entail recourse to precautionary action, which in turn transforms the duty of care into a duty of “highest” or “utmost” care.

It could be argued that this extended duty of care stretches the notion of fault in such a broad fashion that it would end up transforming fault-based liability into strict one. For instance, under the Dutch tort law anyone who creates a danger is under a duty to prevent damage arising as a result of that danger. Equally, a person who fails to take measures to that effect or does so inadequately will be liable for the ensuing damage (Sadeleer 2002, p. 213).7 It appears quite clearly that one is at fault for any damage caused to a third person, since one is under the duty to prevent any damage from occurring. Being liable for any damage is precisely what strict liability is about. However, this duty of care is not unlimited, in that a person who is not aware and is not legally obliged to be aware of a possible danger cannot be deemed to have acted negligently (Sadeleer 2002, p. 213).

Posing some limits to the precautionary duty of care entails remembering that the classical duty of care is solely triggered in the case of foreseeable damage. The question of the foreseeability of damage is related to the triggering of precautionary measures. (From which degree of uncertainty should a risk be taken into account? Should totally hypothetical risks be considered?) In civil liability, it is enough that the damage is foreseeable in abstracto (only the complete unforeseeability could justify the exoneration from liability). Such a restrictive definition of unforeseeability is largely compatible with the ethos of precaution and avoids transforming precautionary fault-based liability into strict liability. In other words, is it fair to hold an entity liable where it was unable to foresee the damage or to avoid it? If we are of the opinion that this is not the case, it is therefore essential to distinguish between a person who could have not, in the strict sense, known the consequences of her activities, and a person who could have been aware of them had she taken the trouble to explore more carefully the risks the said activities posed to the environment. Only the activities of the latter should be judged according to precaution. In other words, one must be in the situation wherein she has the possibility to detect a risk and act accordingly. Only, in this situation will the precautionary duty of care be triggered (Sadeleer 2002, pp. 214-215).

Such a limitation to the duty of care is very similar to the so-called development risk defence that is found, among others, in the Environmental Liability Directive or the Product Liability Directive.

There often is a higher standard of civil liability for damages caused by dangerous activities. Strict liability is either aimed at deterring or at facilitating recourses to justice by individuals in order to get compensation for damages. Just as a person taking benefits from a dangerous activity should compensate the disadvantage of other persons, these people simply do not need to prove that the person was at fault.

However, in order to find a balance between the need for innovation, which often involves uncertainty, and the interests of individuals as well as of the society at large, an entity could waive its liability by resorting to the development risk defence. Lack of such waiver could, it is argued, have a detrimental effect: it would stifle innovation and negatively impact a variety of products and services. With regard to liability for defective products, the European Commission has pointed out that the occurrence of the development risk seems most likely in the following sectors: pharmaceutical products, chemical substances, genetically modified organisms and foodstuffs.⁸

In the following paragraphs we will analyse the mode of operation of the development risk defence in the framework of the Environmental and Product Liability Directives. We will see that this defence could apply to both fault-based and strict liability regimes.

The Environmental Liability Directive⁹ imposes two standards of liability for environmental damage, depending on its gravity. The first liability scheme applies to the dangerous or potentially dangerous occupational activities listed in Annex III to the Directive. These include activities with regard to dangerous chemical substances, waste management and genetically modified organisms, among others. The operator may be held responsible even if she is not at fault; this is strict liability [Art 3(1)(a)]. The second scheme applies to all occupational activities other than those listed in Annex III, but only where there is damage, or imminent threat of damage, to species or natural habitats. Here the operator will be held liable only if she is at fault or negligent [Art 3(1)(b)].¹⁰

As Hedemann-Robinson pointed out (Hedemann-Robinson 2007, p. 513), the Directive employs a unique and pragmatic approach in applying civil liability to an environmental context. The orthodox remedy of monetary compensation is excluded from the range of available legal remedies. Instead, in order to ensure rectification of actual or threatened environmental damage, the Directive imposes an obligation on the operators to take either preventive action, if damage has not yet occurred but there is an imminent threat thereof (Art 5), or remedial action (Art 6), when damage has already occurred. As a general rule, the operator shall bear the cost of these actions (the “polluter pays” principle).

However, the Member States may allow the operator not to bear the cost of remedial actions where she demonstrates that: (1) she was not at fault or negligent, and (2) the environmental damage was caused by an emission or activity, or any manner of using a product in the course of an activity, which was not considered likely to cause environmental damage according to the state of scientific and technical knowledge at the time when the emission was released or the activity took place [Art 8(4)(b)].

In the Product Liability Directive,¹¹ the producer is not liable if she proves that the state of scientific and technical knowledge at the time when she put the product into circulation was not such as to enable the existence of the defect to be discovered, i.e. the development risk defence [Art 7(e)]. However, as such a possibility offered to a producer to free herself from liability may be felt in certain Member States as restricting unduly the protection of the consumer, it is possible for a Member State to maintain or provide that this exonerating circumstance is not admitted [Recital 16, Art 15(1)(b)]. Yet only in a few Member States is the producer liable also in case of development risk (Luxembourg and Finland), while in others, this liability limited to specific product sectors.

In Commission v the UK,¹² the ECJ has explained that “in order to have a defence under Art 7(e) of the Directive, the producer of a defective product must prove that the objective state of scientific and technical knowledge, including the most advanced level of such knowledge, at the time when the product in question was put into circulation was not such as to enable the existence of the defect to be discovered. Further […] that knowledge must have been accessible at the time when the product in question was put into circulation.” The notion of accessibility of the knowledge recalls very much patent law, where an invention shall be considered to be new if it does not form part of the state of the art. The state of the art comprises everything made available to the public by means of a written or oral description, by use, or in any other way.¹³ Further analysis of this notion falls outside this paper.

Yet there is not much case law interpreting the development risk defence with regard to Art 7(e).¹⁴ Most often, these cases deal with an infection transmitted via blood transfusion (e.g. hepatitis C or HIV). In the UK, in A v National Blood Authority,¹⁵ the Court held that “if there is a known risk, i.e., the existence of the defect is known or should have been known […], then the producer continues to produce and supply at his own risk. It would […] be inconsistent with the purpose of the [Product Liability] Directive if a producer, in the case of a known risk, continues to supply products simply because, and despite the fact that, he is unable to identify in which if any of his products that defect will occur or recur, or, more relevantly in a case such as this, where the producer is obliged to supply, continues to supply without accepting the responsibility for any injuries resulting, by insurance or otherwise. […] Once the existence of the defect is known, then there is the risk of that defect materialising in any particular product.”

The Court further held that “the risk ceases to be a development risk and becomes a known risk not if and when the producer in question […] had the requisite knowledge, but if and when such knowledge were accessible anywhere in the world […]. Hence it protects the producer in respect of the unknown.” The development risk defence serves only to protect the producer from unknown risks (Ashurst 2006, p. 2).

In the Netherlands, in the Sanquin Foundation case,¹⁶ the Court held that Foundation, which had supplied the blood, was entitled to rely on the development risk defence. It had acted in compliance with the scientific and technical learning available at the moment of the blood donation and its delivery to the claimant (Bisschop 2011, p. 247).17 The infection had not been detected as the donor had only just contracted the HIV virus and his infection was in the three-month “window period” when detection was not possible by screening. This decision of the Amsterdam District Court has received considerable criticism (Ashurst 2006, p. 3).

It could be argued that the development risk defence reintroduces the notion of fault. In order to invoke this defence, an entity has to show it fulfilled its duty of care to acquire the state of scientific and technical knowledge when the product was designed and developed or the activity was undertaken. In other words, it might be required to demonstrate it was not negligent with regard to such knowledge. For instance, in the UK, in IBA v. EMI Electronics Ltd.¹⁸ the designer of a radio mast that collapsed in conditions of high winds and ice was found liable for failing to investigate fully the possible effects of such conditions on the structure (Deakin 2003, p. 636). In Germany, the Federal Court of Justice held on 2 February 1999 that if, following the proper use of a product, damage is caused because the product is defective, then the producer must show that it did not breach its duty of care and that it did not therefore act negligently (Best 2002).19

In the two previous sections we have made observations on the concept of civil liability in situations of uncertainty. On the one hand, it appears that situations of uncertain risk stretch the notion of fault to its most extreme limits, nearly transforming it into strict liability. The only limit to an otherwise limitless duty of care is precisely the situation foreseen by the development risk defence. On the other hand, we have also observed that this defence can operate as an exception to strict liability regimes. Indeed, because of the existence of uncertain risks, the liability of actors cannot be absolute. The development risk defence limits this otherwise absolute liability by reintroducing the notion of fault, and more precisely, a duty of care that is similar to the one described in the case of fault-based liability.

Hence, it seems that situations of uncertainty (and the precautionary principle, which is the framework of action in such situations) reshape the notions of fault-based liability and strict liability by mitigating the difference between the two, and by creating increasing convergence.

Consequently, not only has the precautionary principle a role to play in both strict and fault-based liability regimes, but it can also serve as a basis to argue for a waiver of liability in both situations. The question then is the following: can the foregoing conclusions apply to PIA?

We are of the opinion that the foregoing considerations on the relation between precaution and civil liability are relevant to PIA, since we argue that PIA is one of the ways to implement the precautionary principle.

As seen is section 2 supra, precaution is a principle that is definitely located in the broader framework of risk analysis and which concerns a specific type thereof: uncertain ones. Consequently, and given the delicate nature of such risks, some authors have substantiated the precautionary principle by determining that its implementation is constituted of two stages: risk assessment and risk management (Deakin 2003, p. 636). Equally, Zander suggests that, in the framework of precaution, risk regulation is composed of risk assessment and risk management (Sadeleer 2007, pp. 18-20; Zander 2010, p. 15). As the European Commission argues, any approach based upon the precautionary principle should start with an (scientific) evaluation as complete as possible.20

Along with de Sadeleer, we consider impact assessment (be it in the field of privacy or environmental protection) as one way of implementing the precautionary principle, since just like risk assessments, it is precisely about reducing the “uncertainties associated with the potential impacts of a project” (Zander 2010, p. 17). In this case we may add the assessment of the risks is concentrated on the possible outcomes of the project.

Therefore, as a kind of risk assessment and risk mitigation tool, PIA is an implementation of the precautionary principle. Costa further argues that prior checking, a forerunner to PIA, envisaged in Art 20 of the Data Protection Directive,²¹ is such an implementation too (Costa 2012, p. 18). However, there is no specific prevision in relation to the realization of risk assessments (see also Wright & De Hert 2012).

And how is this possibility to waive civil liability connected with PIA? A good PIA, understood as a process, shows what was uncertain when a technology was designed and developed or activity undertaken, what was the state of the art, and how these uncertainties were addressed. Next, a good PIA report serves as evidence. These have a profound impact on civil liability. (By “good PIA” we mean the one that duly satisfies all its formal requirements.)²²

First, a PIA is a form of precaution through its two main objectives: risk assessment and risk mitigation. If a good PIA had not foreseen damage caused by a privacy-intrusive technology, having fulfilled the duty of investigation, an entity will not be liable. Second, a PIA can be used to invoke the development risk defence, if applicable. If a good PIA had not foreseen damage caused by a technology by an objective demonstration of compliance with the state of the art at the time when technology was launched, an entity would not be liable.

We have shown that regardless of the civil liability standard, be it fault-based or strict, a good PIA – in certain situations – could waive such liability. This is a crucial incentive for a business to actually carry out a PIA. Therefore, to the typical list of PIA benefits, we add the following one: impact on liability.

Bibliography

Ashurst (2006). Interpretation of the Product Liability Directive.

Best, R. (2002). "A Comparison of Civil Liability for Defective Products in the United Kingdom and Germany." German Law Journal 3.

Bisschop, K., Jelsma, K. (2011). Netherlands. The International Comparative Legal Guide to: Product Liability 2011 - A practical cross-border insight into product liability work. London, Global Legal Group Ltd.

Callon, M., Lascoumes, P., Barthes, Y. (2001). Agir dans un monde incertain, essai sur la démocratie technique. Paris, Seuil.

Costa, L. (2012). "Privacy and the precautionary principle." Computer Law & Security Review 28: 14-24.

Deakin, S., Johnston, A., Markesinis, B. (2003). Markesinis and Deakin's Tort Law. Oxford, Clarendon Press.

Godard, O. (2000). "Le principe de précaution, une nouvelle logique de l’action entre science et démocratie." Philosophie Politique 11.

Hedemann-Robinson, M. (2007). Enforcement of European Union Environmental Law - Legal Issues and Challenges. London, New York, Routledge Cavendish.

Hilty, L., Som, C. (2005). "The Precautionary Principle, Sustainability and Ethical Aspects of the Information Society". The Precautionary Principle in the Information Society - Effects of Pervasive Computing on Health and Environment. L. Hilty, Behrendt, S., Binswanger, M., Bruinink, A., Erdmann, L., Fröhlich, J., Köhler, A., Kuster, N., Som, C., Würtenberger, F. Berne, TA-SWISS: 27-44.

Kourilsky, P. (2002). Du bon usage du principe de précaution. Paris, Odile Jacob.

Sadeleer, N. d. (2002). Environmental Principles - From political slogans to legal rules. Oxford, Oxford University Press.

Sadeleer, N. d. (2007). "The precautionary principle in European Community health and environment law: sword or shield for the Nordic countries?" Implementing the Precautionary principle - Approaches from the Nordic countries, EU and USA. N. d. Sadeleer. London, Sterling, Earthscan: 7-58.

Stewart, B. (2007). Privacy Impact Assessment Handbook. Wellington, Auckland, Office of the Privacy Commissioner.

Wright, D. (2011). "Should Privacy Impact Assessments Be Mandatory?" Communications of the ACM 8: 121-131.

Wright, D. (2012). "The state of the art in privacy impact assessment." Computer Law and Security Review 28(1): 54-61.

Wright, D., De Hert, P., Ed. (2012). Privacy Impact Assessment. Law, Governance and Technology. Dordrecht, Heidelberg, London, New York, Springer.

Zander, J. (2010). The Application of the Precautionary Principle In Practice - Comparative Dimensions. Cambridge, Cambridge University Press.